-rw-r--r-- | man/systemd-system.conf.xml | 12 | ||||
-rw-r--r-- | meson.build | 5 | ||||
-rw-r--r-- | meson_options.txt | 2 | ||||
-rw-r--r-- | src/core/execute.c | 10 | ||||
-rw-r--r-- | src/core/main.c | 9 | ||||
-rw-r--r-- | src/core/manager.c | 15 | ||||
-rw-r--r-- | src/core/manager.h | 4 | ||||
-rw-r--r-- | src/core/system.conf.in | 1 | ||||
-rw-r--r-- | src/core/user.conf.in | 1 |
9 files changed, 53 insertions, 6 deletions
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index 3fe2cbfdea..ef311f1971 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -525,6 +525,18 @@
 details. Note that this setting has no effect on the OOM score adjustment value of the service manager process itself, it retains the original value set during its invocation.</para></listitem>
 </varlistentry>
+
+ <varlistentry>
+ <term><varname>DefaultSmackProcessLabel=</varname></term>
+
+ <listitem><para>Takes a <option>SMACK64</option> security label as the argument. The process executed
+ by a unit will be started under this label if <varname>SmackProcessLabel=</varname> is not set in the
+ unit. See <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for the details.</para>
+
+ <para>If the value is <literal>/</literal>, only labels specified with <varname>SmackProcessLabel=</varname>
+ are assigned and the compile-time default is ignored.</para></listitem>
+ </varlistentry>
 </variablelist>
 </refsect1>
diff --git a/meson.build b/meson.build
index 7db7e5ea1d..b4fd369241 100644
--- a/meson.build
+++ b/meson.build
@@ -1167,6 +1167,11 @@ if have
 conf.set_quoted('SMACK_RUN_LABEL', get_option('smack-run-label'))
 endif
+have = get_option('smack') and get_option('smack-default-process-label') != ''
+if have
+ conf.set_quoted('SMACK_DEFAULT_PROCESS_LABEL', get_option('smack-default-process-label'))
+endif
+
 want_polkit = get_option('polkit')
 install_polkit = false
 install_polkit_pkla = false
diff --git a/meson_options.txt b/meson_options.txt
index adaedf3ce8..628ca1d797 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -352,6 +352,8 @@ option('smack', type : 'boolean',
 description : 'SMACK support')
 option('smack-run-label', type : 'string',
 description : 'run systemd --system itself with a specific SMACK label')
+option('smack-default-process-label', type : 'string',
+ description : 'default SMACK label for executed processes')
 option('polkit', type : 'combo', choices : ['auto', 'true', 'false'],
 description : 'polkit support')
 option('ima', type : 'boolean',
diff --git a/src/core/execute.c b/src/core/execute.c
index 3be219fe1c..64b290d3e7 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3240,6 +3240,7 @@ static int setup_credentials(
 #if ENABLE_SMACK
 static int setup_smack(
+ const Manager *manager,
 const ExecContext *context,
 int executable_fd) {
 int r;
@@ -3251,20 +3252,17 @@ static int setup_smack(
 r = mac_smack_apply_pid(0, context->smack_process_label);
 if (r < 0)
 return r;
- }
-#ifdef SMACK_DEFAULT_PROCESS_LABEL
- else {
+ } else if (manager->default_smack_process_label) {
 _cleanup_free_ char *exec_label = NULL;
 r = mac_smack_read_fd(executable_fd, SMACK_ATTR_EXEC, &exec_label);
 if (r < 0 && !IN_SET(r, -ENODATA, -EOPNOTSUPP))
 return r;
- r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
+ r = mac_smack_apply_pid(0, exec_label ? : manager->default_smack_process_label);
 if (r < 0)
 return r;
 }
-#endif
 return 0;
 }
@@ -4853,7 +4851,7 @@ static int exec_child(
 /* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
 * process. This is the latest place before dropping capabilities. Other MAC context are set later. */
 if (use_smack) {
- r = setup_smack(context, executable_fd);
+ r = setup_smack(unit->manager, context, executable_fd);
 if (r < 0 && !context->smack_process_label_ignore) {
 *exit_status = EXIT_SMACK_PROCESS_LABEL;
 return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
diff --git a/src/core/main.c b/src/core/main.c
index aee66051db..72d86d3efd 100644
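Review bot: The new `const Manager *manager` parameter is dereferenced in the body (`manager->default_smack_process_label`, in the next hunk) without the entry assertion this code base applies to pointer arguments; add `assert(manager);` alongside whatever entry checks setup_smack already has (they sit outside this hunk). The only caller in this diff passes `unit->manager`, so this is a style point rather than a live NULL dereference, but it keeps the function consistent with its siblings and makes the new precondition visible. The body of setup_smack continues past this hunk.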
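Review bot: The guard `} else if (manager->default_smack_process_label) {` folds two decisions into one condition: a NULL default not only drops the fallback label but also skips the `mac_smack_read_fd(..., SMACK_ATTR_EXEC, ...)` lookup, so with DefaultSmackProcessLabel=/ the manager applies no label at all to a unit that lacks SmackProcessLabel=. That matches the man page text in this commit, but nothing at this site says so, and a reader comparing with the removed `#ifdef` version may suspect the exec-label read was dropped by accident. A comment above the branch would settle it: `/* No per-unit label: use the executable's SMACK64EXEC label if it has one, else the configured default. A NULL default (DefaultSmackProcessLabel=/ or no compile-time default) means we set nothing here. */`.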
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -170,6 +170,7 @@ static void *arg_random_seed;
 static size_t arg_random_seed_size;
 static int arg_default_oom_score_adjust;
 static bool arg_default_oom_score_adjust_set;
+static char *arg_default_smack_process_label;
 /* A copy of the original environment block */
 static char **saved_env = NULL;
@@ -658,6 +659,11 @@ static int parse_config_file(void) {
 { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action },
 { "Manager", "DefaultOOMPolicy", config_parse_oom_policy, 0, &arg_default_oom_policy },
 { "Manager", "DefaultOOMScoreAdjust", config_parse_oom_score_adjust, 0, NULL },
+#if ENABLE_SMACK
+ { "Manager", "DefaultSmackProcessLabel", config_parse_string, 0, &arg_default_smack_process_label },
+#else
+ { "Manager", "DefaultSmackProcessLabel", config_parse_warn_compat, DISABLED_CONFIGURATION, NULL },
+#endif
 {}
 };
@@ -731,6 +737,8 @@ static void set_manager_defaults(Manager *m) {
 m->default_oom_score_adjust_set = arg_default_oom_score_adjust_set;
 m->default_oom_score_adjust = arg_default_oom_score_adjust;
+ (void) manager_set_default_smack_process_label(m, arg_default_smack_process_label);
+
 (void) manager_set_default_rlimits(m, arg_default_rlimit);
 (void) manager_default_environment(m);
@@ -2421,6 +2429,7 @@ static void reset_arguments(void) {
 arg_clock_usec = 0;
 arg_default_oom_score_adjust_set = false;
+ arg_default_smack_process_label = mfree(arg_default_smack_process_label);
 }
 static void determine_default_oom_score_adjust(void) {
diff --git a/src/core/manager.c b/src/core/manager.c
index c7598b1e2a..e7e077dcf0 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -1549,6 +1549,8 @@ Manager* manager_free(Manager *m) {
 free(m->switch_root);
 free(m->switch_root_init);
+ free(m->default_smack_process_label);
+
 rlimit_free_all(m->rlimit);
 assert(hashmap_isempty(m->units_requiring_mounts_for));
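Review bot: `config_parse_string` accepts any text for DefaultSmackProcessLabel=, so a malformed label (one containing whitespace, say) is not rejected when the configuration is loaded; it only shows up later as an `EXIT_SMACK_PROCESS_LABEL` failure in every unit that has no SmackProcessLabel= of its own, which is a confusing place to learn about a typo in system.conf. If the tree already has a parser that validates SMACK labels for the unit-level SmackProcessLabel= setting, using it in this table would give a line-numbered warning at parse time; otherwise a small validity check in manager_set_default_smack_process_label() would serve. The `/` sentinel handled in manager.c would need to stay exempt from that check.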
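Review bot: The result of `manager_set_default_smack_process_label()` is discarded with `(void)`, so if the copy fails the configured default label is silently not installed and every unit without SmackProcessLabel= is launched without the MAC default the administrator asked for. The adjacent `(void) manager_set_default_rlimits(...)` uses the same pattern, but for a security label a silent downgrade deserves at least a log line, e.g. `r = manager_set_default_smack_process_label(m, arg_default_smack_process_label);` followed by `if (r < 0) log_warning_errno(r, "Failed to set default SMACK process label, ignoring: %m");` (declaring `int r` in set_manager_defaults if it has none). set_manager_defaults is declared `void` here, so logging rather than propagating the error is the minimal fix.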
@@ -3880,6 +3882,19 @@ int manager_get_effective_environment(Manager *m, char ***ret) {
 return 0;
 }
+int manager_set_default_smack_process_label(Manager *m, const char *label) {
+ assert(m);
+
+#ifdef SMACK_DEFAULT_PROCESS_LABEL
+ if (!label)
+ return free_and_strdup(&m->default_smack_process_label, SMACK_DEFAULT_PROCESS_LABEL);
+#endif
+ if (streq_ptr(label, "/"))
+ return free_and_strdup(&m->default_smack_process_label, NULL);
+
+ return free_and_strdup(&m->default_smack_process_label, label);
+}
+
 int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit) {
 assert(m);
diff --git a/src/core/manager.h b/src/core/manager.h
index fd5da52b7f..63cff7989d 100644
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -457,6 +457,8 @@ struct Manager {
 /* Reference to RestrictFileSystems= BPF program */
 struct restrict_fs_bpf *restrict_fs;
+
+ char *default_smack_process_label;
 };
 static inline usec_t manager_default_timeout_abort_usec(Manager *m) {
@@ -509,6 +511,8 @@ int manager_transient_environment_add(Manager *m, char **plus);
 int manager_client_environment_modify(Manager *m, char **minus, char **plus);
 int manager_get_effective_environment(Manager *m, char ***ret);
+int manager_set_default_smack_process_label(Manager *m, const char *label);
+
 int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit);
 void manager_trigger_run_queue(Manager *m);
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index 67e55f10a2..ae1b47b2ba 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -74,3 +74,4 @@
 #DefaultLimitRTPRIO=
 #DefaultLimitRTTIME=
 #DefaultOOMPolicy=stop
+#DefaultSmackProcessLabel=
diff --git a/src/core/user.conf.in b/src/core/user.conf.in
index e0a7703525..c29068828c 100644
--- a/src/core/user.conf.in
+++ b/src/core/user.conf.in
@@ -47,3 +47,4 @@
 #DefaultLimitNICE=
 #DefaultLimitRTPRIO=
 #DefaultLimitRTTIME=
+#DefaultSmackProcessLabel=
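Review bot: `manager_set_default_smack_process_label()` gives three different meanings to its `label` argument — NULL, the literal `/` sentinel, and a real label — and the NULL case changes meaning depending on whether SMACK_DEFAULT_PROCESS_LABEL was defined at build time, yet neither this definition nor the prototype added to manager.h carries a comment. A header comment would make the contract explicit: `/* label == NULL restores the compile-time default (or clears the field when none was built in); "/" clears the field unconditionally so only per-unit SmackProcessLabel= is ever applied; any other value becomes the new default. Returns what free_and_strdup() returns. */`. The same wording belongs on the declaration in manager.h so callers see it without opening manager.c.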